And they get the same thing when they give you the rogue phone back and you try to unlock it, at which point it sends the PIN to them and they can use it to unlock your original phone and then mount it over the network to display the same data until they've finished copying it.
We're talking about the fingerprint reader, which it makes sense to require the phone to be unlocked to replace, to prevent someone from doing it without your knowledge.
Though even that only makes the attack more expensive, because again, they can just replace the whole phone. Doing that undetected is harder because you have to connect the rogue phone to the original one as soon as they give the rogue phone what you need to unlock the original, which is a sophisticated attack. Though manufacturing custom malicious hardware already implies a pretty sophisticated attack.
So they can repair your phone.